Abstract

Algebraic immunity has been proposed as an important property of Boolean functions. To resist algebraic attack, a Boolean function should possess high algebraic immunity. It is well known now that the algebraic immunity of an $n$-variable Boolean function is upper bounded by $\lceil n/2 \rceil$. In this paper, for an odd integer $n$, we present a construction method which can efficiently generate a Boolean function of $n$ variables with maximum algebraic immunity, and we also show that any such function can be generated by this method. Moreover, the number of such Boolean functions is greater than $2^{2^{n-1}}$.

Keywords. Algebraic attacks, algebraic immunity, annihilators, Boolean functions.



1 Introduction 

Recently, algebraic attacks have gained a lot of attention in the cryptanalysis of stream and block cipher systems 0-0. The study of algebraic attacks adds an important property of Boolean functions to be used in cryptosystems, which is known as algebraic immunity. Possessing high algebraic immunity is a necessary requirement for a Boolean function when used in a cryptosystem. It is now known that the algebraic immunity of an $n$-variable Boolean function is upper bounded by $\lceil n/2 \rceil$ 0.

Boolean functions with maximum algebraic immunity are an important 
class of Boolean functions, and there is an increasing interest in construction 
of such Boolean functions. In [H], D. K. Dalai et al. first presented a con- 
struction method which can generate some Boolean functions with maximum 
algebraic immunity. This construction provides only one high dimension 
Boolean function from a low dimension Boolean function, so it can provide 
only a few of such Boolean functions. Then, a construction [7] keeping in 
mind the basic theory of annihilator immunity was presented. In |H], the au- 
thors gave three construction methods which each can get a class of Boolean 
functions with maximum algebraic immunity from one such given function. 
Several classes of symmetric Boolean functions of an even number of vari- 
ables with maximum algebraic immunity were presented in 0. However, the 
number of symmetric Boolean functions given by them is small. Moreover, it was shown that there exists only one symmetric Boolean function (besides its complement) of an odd number of variables with maximum algebraic immunity pni-. So far, no work in the literature has pointed out how many such Boolean functions there are, or how one can construct an arbitrary such function.

In this paper, for an odd integer $n$, we convert the problem of finding an $n$-variable Boolean function with maximum algebraic immunity to the problem of finding a $k \times k$ invertible submatrix of a $2^{n-1} \times 2^{n-1}$ invertible matrix. Thereby we present a construction method which can efficiently generate an $n$-variable Boolean function with maximum algebraic immunity, and we also show that any such function can be constructed by this method. Finally, we show that the number of such Boolean functions is equal to the number of $k \times k$ invertible submatrices of a $2^{n-1} \times 2^{n-1}$ invertible matrix, and thus the number of Boolean functions of an odd number of variables with maximum algebraic immunity is greater than $2^{2^{n-1}}$.

2 Preliminaries 

Let $\mathbb{F}_2^n$ be the set of all $n$-tuples of elements in the finite field $\mathbb{F}_2$. To avoid confusion with the usual sum, we denote the sum over $\mathbb{F}_2$ by $\oplus$.

A Boolean function of $n$ variables is a mapping from $\mathbb{F}_2^n$ to $\mathbb{F}_2$. Any Boolean function $f$ of $n$ variables can be uniquely represented as

$$f(x_1, \ldots, x_n) = a_0 \oplus \bigoplus_{1 \le i \le n} a_i x_i \oplus \bigoplus_{1 \le i < j \le n} a_{i,j} x_i x_j \oplus \cdots \oplus a_{1,\ldots,n} x_1 x_2 \cdots x_n,$$

where the coefficients $a_0, a_i, a_{i,j}, \ldots, a_{1,\ldots,n} \in \mathbb{F}_2$. This form of $f$ is called the algebraic normal form (ANF) of $f$. The algebraic degree, $\deg(f)$, is the number of variables in the highest order term with nonzero coefficient. The Boolean function $f$ can also be identified by its truth table, which is the vector of length $2^n$ consisting of the function values. The set of $X \in \mathbb{F}_2^n$ for which $f(X) = 1$ (resp. $f(X) = 0$) is called the onset (resp. offset), denoted by $1_f$ (resp. $0_f$). The cardinality of $1_f$ is called the Hamming weight of $f$, denoted by $wt(f)$. We say that an $n$-variable Boolean function $f$ is balanced if $wt(f) = 2^{n-1}$. Let $S = (s_1, s_2, \ldots, s_n) \in \mathbb{F}_2^n$; the Hamming weight of $S$, denoted by $wt(S)$, is the number of 1's in $(s_1, s_2, \ldots, s_n)$.

Definition 1 [TT]. For a given $n$-variable Boolean function $f$, a nonzero $n$-variable Boolean function $g$ is called an annihilator of $f$ if $f \cdot g = 0$, and the algebraic immunity (AI) of $f$, denoted by $AI(f)$, is the minimum value of $d$ such that $f$ or $f \oplus 1$ admits an annihilating function of degree $d$.

An important step in the algebraic attack is to find out low degree an- 
nihilators of a Boolean function or its complement. Thus in order to resist 
algebraic attacks, neither the Boolean function nor its complement used in a 
cryptosystem should have an annihilator of low degree. That is, the Boolean 
function should have high algebraic immunity. In the next section, we will 
present a construction method to generate Boolean functions of an odd num- 
ber of variables which achieve the maximum algebraic immunity. 

3 Construction and Count 

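Let $f$ be a Boolean function of $n$ variables, and

$$1_f = \{X_1, \ldots, X_{wt(f)}\}, \quad 0_f = \{X_{wt(f)+1}, \ldots, X_{2^n}\}.$$

It is clear that an $n$-variable Boolean function $g$ is an annihilator of $f$ if and only if $1_f \subseteq 0_g$. For $X = (x_1, \ldots, x_n) \in \mathbb{F}_2^n$, we let

which belongs to $\mathbb{F}_2^{\sum_{i=0}^{\lceil n/2 \rceil - 1} \binom{n}{i}}$. Let $V(1_f)$ be the $wt(f) \times \sum_{i=0}^{\lceil n/2 \rceil - 1} \binom{n}{i}$ matrix with row vectors $v(X_1), \ldots, v(X_{wt(f)})$ and $V(0_f)$ the $(2^n - wt(f)) \times \sum_{i=0}^{\lceil n/2 \rceil - 1} \binom{n}{i}$ matrix with row vectors $v(X_{wt(f)+1}), \ldots, v(X_{2^n})$.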

Lemma 1. Let $f$ be a Boolean function of $n$ variables. Then $AI(f) = \lceil n/2 \rceil$ if and only if the ranks of $V(1_f)$ and $V(0_f)$ are both $\sum_{i=0}^{\lceil n/2 \rceil - 1} \binom{n}{i}$.

Proof. If there exists a linear relationship among the columns of $V(1_f)$ (resp. $V(0_f)$), then an annihilator of $f$ (resp. $f \oplus 1$) with degree less than $\lceil n/2 \rceil$ can be found. On the other hand, if there is an annihilator of $f$ (resp. $f \oplus 1$) with degree less than $\lceil n/2 \rceil$, then there must exist a linear relationship among the columns of $V(1_f)$ (resp. $V(0_f)$). Therefore, $AI(f) = \lceil n/2 \rceil$ if and only if the ranks of $V(1_f)$ and $V(0_f)$ are both $\sum_{i=0}^{\lceil n/2 \rceil - 1} \binom{n}{i}$.

□

Note that for odd integer $n$, $\sum_{i=0}^{\lceil n/2 \rceil - 1} \binom{n}{i} = 2^{n-1}$, and any $n$-variable Boolean function with maximum algebraic immunity must be balanced [T^ . Furthermore, such functions have the following property.

Lemma 2. llSf Let odd integer $n = 2t + 1$, and $f$ be an $n$-variable balanced Boolean function. If $f$ does not have any annihilator with degree less than $t + 1$, then $f \oplus 1$ has no annihilator with degree less than $t + 1$. Consequently, $AI(f) = t + 1$.

Corollary 1. Let odd integer $n = 2t + 1$ and $f$ be an $n$-variable Boolean function. Then, $AI(f) = t + 1$ if and only if $f$ is balanced and $V(1_f)$ is invertible.

Lemma 3. Q^J^ Let odd integer $n = 2t + 1$ and $f$ be an $n$-variable Boolean function which satisfies

$$f(X) = \begin{cases} a & \text{if } wt(X) \le t, \\ a \oplus 1 & \text{if } wt(X) > t, \end{cases}$$

where $a \in \mathbb{F}_2$, then $AI(f) = t + 1$.

Remark 1. If $a = 1$, we denote the function described in Lemma 3 by $G_n$.

Let odd integer $n = 2t + 1$, $F_n$ be a Boolean function of $n$ variables with maximum algebraic immunity (for example, $F_n = G_n$), and we may let

$$1_{F_n} = \{Y_1, \ldots, Y_{2^{n-1}}\}, \quad 0_{F_n} = \{Z_1, \ldots, Z_{2^{n-1}}\}.$$

Then $V(1_{F_n})$ and $V(0_{F_n})$ are both $2^{n-1} \times 2^{n-1}$ square matrices, and their row vectors are $v(Y_1), \ldots, v(Y_{2^{n-1}})$ and $v(Z_1), \ldots, v(Z_{2^{n-1}})$ respectively. By Lemma 1, $V(1_{F_n})$ and $V(0_{F_n})$ are both invertible matrices. It is clear that a Boolean function $f$ is balanced if and only if there exist some integer $0 \le k \le 2^{n-1}$, integers $1 \le i_1 < \cdots < i_k \le 2^{n-1}$ and integers $1 \le j_1 < \cdots < j_k \le 2^{n-1}$ such that

$$1_f = \{Z_{i_1}, \ldots, Z_{i_k}\} \cup 1_{F_n} \setminus \{Y_{j_1}, \ldots, Y_{j_k}\}$$

and

$$0_f = \{Y_{j_1}, \ldots, Y_{j_k}\} \cup 0_{F_n} \setminus \{Z_{i_1}, \ldots, Z_{i_k}\}.$$

So, for some integer $1 \le k \le 2^{n-1}$, if we can find some integers $1 \le i_1 < \cdots < i_k \le 2^{n-1}$ and integers $1 \le j_1 < \cdots < j_k \le 2^{n-1}$, such that the $2^{n-1} \times 2^{n-1}$ matrix with the set of row vectors $\{v(Z_{i_1}), \ldots, v(Z_{i_k})\} \cup V(1_{F_n}) \setminus \{v(Y_{j_1}), \ldots, v(Y_{j_k})\}$ is invertible, then by Corollary 1, we can construct a balanced $n$-variable Boolean function $f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}(X)$ with maximum algebraic immunity as follows

$$f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}(X) = \begin{cases} F_n(X) \oplus 1 & \text{if } X \in \{Z_{i_1}, \ldots, Z_{i_k}, Y_{j_1}, \ldots, Y_{j_k}\}, \\ F_n(X) & \text{else.} \end{cases} \qquad (1)$$

This is the core idea of our construction. The following is a basic conclusion 
of vector space. 

Lemma 4. Let $U$ be an $m$-dimension vector space with $m \ge 2$, $\{\alpha_1, \ldots, \alpha_m\}$ and $\{\beta_1, \ldots, \beta_m\}$ two bases of $U$. Then, for integer $1 \le k \le m - 1$ and integers $1 \le i_1 < \cdots < i_k \le m$, there always exist some integers $1 \le j_1 < \cdots < j_{m-k} \le m$ such that

$$\{\alpha_{i_1}, \ldots, \alpha_{i_k}, \beta_{j_1}, \ldots, \beta_{j_{m-k}}\}$$

is also a base of $U$.

Corollary 2. Let odd integer $n = 2t + 1$, $F_n$ be a Boolean function of $n$ variables with maximum algebraic immunity and $1_{F_n} = \{Y_1, \ldots, Y_{2^{n-1}}\}$, $0_{F_n} = \{Z_1, \ldots, Z_{2^{n-1}}\}$. Then, for any integer $1 \le k \le 2^{n-1} - 1$ and integers $1 \le i_1 < \cdots < i_k \le 2^{n-1}$, there always exist some integers $1 \le j_1 < \cdots < j_k \le 2^{n-1}$, such that $AI(f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}) = t + 1$, where $f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ is defined by (1).

Proof. Since $V(1_{F_n})$ and $V(0_{F_n})$ are both invertible, $\{v(Y_1), \ldots, v(Y_{2^{n-1}})\}$ and $\{v(Z_1), \ldots, v(Z_{2^{n-1}})\}$ are two bases of the $2^{n-1}$-dimension vector space $\mathbb{F}_2^{2^{n-1}}$. By Lemma 4, for any integer $1 \le k \le 2^{n-1} - 1$ and integers $1 \le i_1 < \cdots < i_k \le 2^{n-1}$, there always exist some integers $1 \le j_1 < \cdots < j_k \le 2^{n-1}$, such that $\{v(Z_{i_1}), \ldots, v(Z_{i_k})\} \cup V(1_{F_n}) \setminus \{v(Y_{j_1}), \ldots, v(Y_{j_k})\}$ is a base of $\mathbb{F}_2^{2^{n-1}}$. That is, the matrix with the set of row vectors $\{v(Z_{i_1}), \ldots, v(Z_{i_k})\} \cup V(1_{F_n}) \setminus \{v(Y_{j_1}), \ldots, v(Y_{j_k})\}$ is invertible. Therefore $AI(f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}) = t + 1$. □

Next, we show how to find those $1 \le j_1 < \cdots < j_k \le 2^{n-1}$ for given $1 \le k \le 2^{n-1} - 1$ and $1 \le i_1 < \cdots < i_k \le 2^{n-1}$.

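A useful matrix. Let odd integer $n = 2t + 1$, $F_n$ be a Boolean function of $n$ variables with maximum algebraic immunity and $1_{F_n} = \{Y_1, \ldots, Y_{2^{n-1}}\}$, $0_{F_n} = \{Z_1, \ldots, Z_{2^{n-1}}\}$. Set

$$W(F_n) = V(0_{F_n}) V(1_{F_n})^{-1}.$$

Then $W(F_n)$ is a $2^{n-1} \times 2^{n-1}$ invertible matrix. Denote the $2^{n-1}$ row vectors of $W(F_n)$ by $w(F_n)_1, \ldots, w(F_n)_{2^{n-1}}$. From the definition of $W(F_n)$, we have $V(0_{F_n}) = W(F_n) V(1_{F_n})$, that is,

$$\begin{pmatrix} v(Z_1) \\ v(Z_2) \\ \vdots \\ v(Z_{2^{n-1}}) \end{pmatrix} = \begin{pmatrix} w(F_n)_1 \\ w(F_n)_2 \\ \vdots \\ w(F_n)_{2^{n-1}} \end{pmatrix} \begin{pmatrix} v(Y_1) \\ v(Y_2) \\ \vdots \\ v(Y_{2^{n-1}}) \end{pmatrix}.$$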

The following theorem is one of our main results.

Let $W(F_n)_{(i_1,\ldots,i_k)}$ denote the $k \times 2^{n-1}$ matrix with row vectors $w(F_n)_{i_1}, \ldots, w(F_n)_{i_k}$ and $W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ denote the $k \times k$ matrix with column vectors equal to the $j_1$th, ..., $j_k$th columns of $W(F_n)_{(i_1,\ldots,i_k)}$.

Theorem 1. Let odd integer $n = 2t + 1$, $F_n$ be a Boolean function of $n$ variables with maximum algebraic immunity and $1_{F_n} = \{Y_1, \ldots, Y_{2^{n-1}}\}$, $0_{F_n} = \{Z_1, \ldots, Z_{2^{n-1}}\}$. Then, the set

$$\{ f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)} \mid k = 0, \ldots, 2^{n-1},\ 1 \le i_1 < \cdots < i_k \le 2^{n-1},\ 1 \le j_1 < \cdots < j_k \le 2^{n-1},\ W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)} \text{ is invertible} \}$$

consists of all $n$-variable Boolean functions with maximum algebraic immunity, where $f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ is defined by (1) and $W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ is defined as above.

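Proof. Since an $n$-variable Boolean function $f$ with maximum algebraic immunity must be balanced, $f$ must be of the form $f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$. Denote the remaining elements of $1_{F_n}$ (resp. $0_{F_n}$) excluding $Y_{j_1}, \ldots, Y_{j_k}$ (resp. $Z_{i_1}, \ldots, Z_{i_k}$) by $Y'_{k+1}, \ldots, Y'_{2^{n-1}}$ (resp. $Z'_{k+1}, \ldots, Z'_{2^{n-1}}$). Then $V(1_{f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}})$ is a $2^{n-1} \times 2^{n-1}$ matrix with row vectors

$$v(Z_{i_1}), \ldots, v(Z_{i_k}), v(Y'_{k+1}), \ldots, v(Y'_{2^{n-1}}).$$

By Corollary 1, $AI(f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}) = t + 1$ if and only if $V(1_{f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}})$ is invertible. Therefore, it is sufficient to prove that $V(1_{f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}})$ is invertible if and only if $W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ is invertible.

Let $M$ denote the $k \times (2^{n-1} - k)$ matrix with column vectors equal to the remaining columns of $W(F_n)_{(i_1,\ldots,i_k)}$, which is defined as above, such that

$$\begin{pmatrix} v(Z_{i_1}) \\ \vdots \\ v(Z_{i_k}) \end{pmatrix} = \begin{pmatrix} W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)} & M \end{pmatrix} \begin{pmatrix} v(Y_{j_1}) \\ \vdots \\ v(Y_{j_k}) \\ v(Y'_{k+1}) \\ \vdots \\ v(Y'_{2^{n-1}}) \end{pmatrix}.$$

Then, we have

$$\begin{pmatrix} v(Z_{i_1}) \\ \vdots \\ v(Z_{i_k}) \\ v(Y'_{k+1}) \\ \vdots \\ v(Y'_{2^{n-1}}) \end{pmatrix} = \begin{pmatrix} W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)} & M \\ & \begin{matrix} 1 & & \\ & \ddots & \\ & & 1 \end{matrix} \end{pmatrix} \begin{pmatrix} v(Y_{j_1}) \\ \vdots \\ v(Y_{j_k}) \\ v(Y'_{k+1}) \\ \vdots \\ v(Y'_{2^{n-1}}) \end{pmatrix}. \qquad (2)$$

From (2), it is obvious that $V(1_{f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}})$ is invertible if and only if the matrix

$$\begin{pmatrix} W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)} & M \\ & \begin{matrix} 1 & & \\ & \ddots & \\ & & 1 \end{matrix} \end{pmatrix} \qquad (3)$$

is invertible. Further, the matrix (3) is invertible if and only if $W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ is invertible. Thus the proof is completed.

□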

Remark 2. Since $W(F_n)$ is a $2^{n-1} \times 2^{n-1}$ invertible matrix, for any integer $1 \le k \le 2^{n-1} - 1$ and integers $1 \le i_1 < \cdots < i_k \le 2^{n-1}$, the rank of the $k \times 2^{n-1}$ matrix $W(F_n)_{(i_1,\ldots,i_k)}$ is $k$, which means there must exist some integers $1 \le j_1 < \cdots < j_k \le 2^{n-1}$ (we note that there may exist many groups of these integers) such that $W(F_n)_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ is invertible. We can also derive Corollary 2 by this fact.

In order to efficiently generate Boolean functions of an odd number of variables with maximum algebraic immunity, we should choose those $F_n$ such that $W(F_n)$ can be efficiently obtained. We note that $G_n$ is such a function. Now, we explain how to obtain the matrix $W(G_n)$. We denote the elements of $1_{G_n}$ and $0_{G_n}$ by some special symbols. Let $Y_{(b_1,\ldots,b_i)} = (y_1, \ldots, y_n) \in 1_{G_n}$, where $1 \le b_1 < \cdots < b_i \le n$. The symbol $Y_{(b_1,\ldots,b_i)}$ means that $wt(Y_{(b_1,\ldots,b_i)}) = i$ and $y_s = 1$ only for $s = b_1, \ldots, b_i$. Let $Y_{(0)}$ denote $(0, \ldots, 0)$. Similarly, let $Z_{(a_1,\ldots,a_l)} = (z_1, \ldots, z_n) \in 0_{G_n}$, where $1 \le a_1 < \cdots < a_l \le n$. The symbol $Z_{(a_1,\ldots,a_l)}$ means that $wt(Z_{(a_1,\ldots,a_l)}) = l$ and $z_s = 1$ only for $s = a_1, \ldots, a_l$. It is clear that $wt(Z_{(a_1,\ldots,a_l)}) \ge t + 1$ since $Z_{(a_1,\ldots,a_l)} \in 0_{G_n}$. Then, the vector $v(Z_{(a_1,\ldots,a_l)})$ can be expressed as a linear combination of the row vectors of $V(1_{G_n})$ as follows.

$$\begin{aligned} v(Z_{(a_1,\ldots,a_l)}) = {} & c_0 \bigoplus_{\{b_1,\ldots,b_t\} \subseteq \{a_1,\ldots,a_l\}} v(Y_{(b_1,\ldots,b_t)}) \\ & \oplus c_1 \bigoplus_{\{b_1,\ldots,b_{t-1}\} \subseteq \{a_1,\ldots,a_l\}} v(Y_{(b_1,\ldots,b_{t-1})}) \\ & \oplus c_2 \bigoplus_{\{b_1,\ldots,b_{t-2}\} \subseteq \{a_1,\ldots,a_l\}} v(Y_{(b_1,\ldots,b_{t-2})}) \oplus \cdots \\ & \oplus c_i \bigoplus_{\{b_1,\ldots,b_{t-i}\} \subseteq \{a_1,\ldots,a_l\}} v(Y_{(b_1,\ldots,b_{t-i})}) \oplus \cdots \\ & \oplus c_{t-1} \bigoplus_{\{b_1\} \subseteq \{a_1,\ldots,a_l\}} v(Y_{(b_1)}) \oplus c_t\, v(Y_{(0)}), \end{aligned} \qquad (4)$$

where

$$c_0 = 1; \qquad c_i = 1 \oplus c_0 \binom{l-t+i}{i} \oplus c_1 \binom{l-t+i}{i-1} \oplus \cdots \oplus c_{i-1} \binom{l-t+i}{1}.$$

From (4), we get the corresponding row vector of $W(G_n)$. And the other row vectors of $W(G_n)$ can also be obtained by this method.
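
Added worked instance of (4), not part of the original paper, for $n = 3$, $t = 1$. It assumes $v(X) = (1, x_1, x_2, x_3)$, the monomials of degree at most $t$, which has the stated length $2^{n-1} = 4$. Here $1_{G_3} = \{Y_{(0)}, Y_{(1)}, Y_{(2)}, Y_{(3)}\}$ and $0_{G_3} = \{Z_{(1,2)}, Z_{(1,3)}, Z_{(2,3)}, Z_{(1,2,3)}\}$. For $l = 2$ the coefficients are $c_0 = 1$, $c_1 = 1$, and for $l = 3$ they are $c_0 = 1$, $c_1 = 0$, as the vectors confirm:

$$v(Z_{(1,2)}) = (1,1,1,0) = v(Y_{(1)}) \oplus v(Y_{(2)}) \oplus v(Y_{(0)}) = (1,1,0,0) \oplus (1,0,1,0) \oplus (1,0,0,0),$$

$$v(Z_{(1,2,3)}) = (1,1,1,1) = v(Y_{(1)}) \oplus v(Y_{(2)}) \oplus v(Y_{(3)}) = (1,1,0,0) \oplus (1,0,1,0) \oplus (1,0,0,1).$$

With rows ordered $Z_{(1,2)}, Z_{(1,3)}, Z_{(2,3)}, Z_{(1,2,3)}$ and columns ordered $Y_{(0)}, Y_{(1)}, Y_{(2)}, Y_{(3)}$, this gives

$$W(G_3) = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 \end{pmatrix}.$$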
Now, we derive our important result. 

Construction. Let odd integer $n = 2t + 1$, $1_{G_n} = \{Y_1, \ldots, Y_{2^{n-1}}\}$, $0_{G_n} = \{Z_1, \ldots, Z_{2^{n-1}}\}$. To find a Boolean function of $n$ variables with maximum algebraic immunity, one carries out the following steps.

Step 1: Select randomly an integer $1 \le k \le 2^{n-1} - 1$ and $k$ integers $1 \le i_1 < \cdots < i_k \le 2^{n-1}$;

Step 2: Using Gauss elimination on the column vectors of $W(G_n)_{(i_1,\ldots,i_k)}$, find a group of integers $1 \le j_1 < \cdots < j_k \le 2^{n-1}$, such that the $j_1$th, ..., $j_k$th column vectors of $W(G_n)_{(i_1,\ldots,i_k)}$ are linearly independent.

We construct the Boolean function as follows.

$$f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}(X) = \begin{cases} G_n(X) \oplus 1 & \text{if } X \in \{Z_{i_1}, \ldots, Z_{i_k}, Y_{j_1}, \ldots, Y_{j_k}\}, \\ G_n(X) & \text{else.} \end{cases} \qquad (5)$$

Then $f_{(i_1,\ldots,i_k;j_1,\ldots,j_k)}$ achieves the maximum algebraic immunity $t + 1$.
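
The construction above as an added Python example (not code from the paper): it builds $W(G_n)$, performs Step 2 for a caller-chosen set of rows, applies (5), and checks the result with the rank criterion of Lemma 1. Assumptions: $v(X)$ lists all monomials of degree at most $t$ evaluated at $X$, which matches the stated length $2^{n-1}$; $W(G_n)$ is obtained by Gaussian elimination rather than from formula (4); the function names and the 0-based indices are this example's own.

```python
from itertools import combinations

def monomials(n, t):
    """Bitmask supports of all monomials of degree <= t (assumed definition of v)."""
    return [sum(1 << b for b in c) for d in range(t + 1)
            for c in combinations(range(n), d)]

def v(x, mons):
    """v(X) packed into an int: bit c is set iff monomial c evaluates to 1 at X."""
    return sum(1 << c for c, mon in enumerate(mons) if mon & x == mon)

def reduce_row(basis, r, mask=-1):
    """One GF(2) elimination step: reduce r by the pivots; store it if it survives."""
    while r & mask:
        h = (r & mask).bit_length() - 1
        if h not in basis:
            basis[h] = r
            break
        r ^= basis[h]
    return r

def rank(rows):
    basis = {}
    return sum(1 for r in rows if reduce_row(basis, r))

def w_matrix(n):
    """Rows of W(G_n) = V(0_Gn) V(1_Gn)^-1 and the ordered onset Y / offset Z of G_n."""
    mons = monomials(n, n // 2)
    m = len(mons)                                   # m = 2^(n-1) for odd n
    Y = [x for x in range(1 << n) if bin(x).count("1") <= n // 2]
    Z = [x for x in range(1 << n) if bin(x).count("1") > n // 2]
    basis, mask = {}, (1 << m) - 1
    for j, y in enumerate(Y):                       # tag bit m+j tracks which v(Y_j) were combined
        reduce_row(basis, v(y, mons) | 1 << (m + j), mask)
    # reducing v(Z_i) to zero leaves, in the tag bits, its coordinates in the basis v(Y_j)
    W = [reduce_row(basis, v(z, mons), mask) >> m for z in Z]
    return W, Y, Z

def construct(n, I):
    """Step 2 and equation (5) for chosen 0-based row indices I (Step 1 is the caller's choice)."""
    W, Y, Z = w_matrix(n)
    basis, J = {}, []
    for j in range(len(W)):                         # Gauss elimination over the columns of W_(I)
        col = sum(((W[i] >> j) & 1) << r for r, i in enumerate(I))
        if reduce_row(basis, col):                  # column j is independent of those kept so far
            J.append(j)
    onset = (set(Y) - {Y[j] for j in J}) | {Z[i] for i in I}
    return sorted(onset), J

def has_max_ai(onset, n):
    """Lemma 1: AI(f) = (n+1)/2 iff V(1_f) and V(0_f) both have rank 2^(n-1)."""
    mons, on = monomials(n, n // 2), set(onset)
    offset = [x for x in range(1 << n) if x not in on]
    return rank(v(x, mons) for x in on) == len(mons) == rank(v(x, mons) for x in offset)
```

For example, `construct(3, [0])` returns the onset `[1, 2, 3, 4]` with `J == [0]`, and `has_max_ai` confirms it reaches algebraic immunity 2.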

Remark 3. (i) By Theorem 1, it is clear that any Boolean function of an odd number of variables with maximum algebraic immunity can be constructed by our method.

(ii) Since $AI(f) = AI(f \oplus 1)$, the range of value of $k$ in Step 1 only needs to be $1 \le k \le 2^{n-2}$.

(iii) For a small $k$, one can efficiently generate an $n$-variable Boolean function with maximum algebraic immunity. For example, when $k = 1$, we first select randomly an integer $1 \le i \le 2^{n-1}$ according to Step 1. Then, according to Step 2, we can select any integer $1 \le j \le 2^{n-1}$ such that the $j$th element of $w(G_n)_i$ is 1. Thus we generate a Boolean function $f_{(i;j)}$.

Finally, we get a result on the count of Boolean functions of an odd 
number of variables with maximum algebraic immunity. 

Theorem 2. Let $n$ be an odd integer, then the number of $n$-variable Boolean functions with maximum algebraic immunity is equal to the number of $k \times k$ invertible submatrices of $W(G_n)$. Further, it is greater than $2^{2^{n-1}}$.

Proof. It is clear that for different groups of integers $(i_1, \ldots, i_k; j_1, \ldots, j_k)$, the Boolean functions defined by (5) are different.

By Theorem 1, the first conclusion is obvious. By Corollary 2 and Remark 3, it is clear that the number of $n$-variable Boolean functions with maximum algebraic immunity is greater than

$$\binom{2^{n-1}}{0} + \binom{2^{n-1}}{1} + \binom{2^{n-1}}{2} + \cdots + \binom{2^{n-1}}{2^{n-1}} = 2^{2^{n-1}}.$$

□



4 Conclusion 

In this paper, we present a construction method which can efficiently generate a Boolean function of an odd number of variables which possesses maximum algebraic immunity, and we show that any such function can be generated by this method. Based on the construction, we show that the number of this kind of Boolean functions is greater than $2^{2^{n-1}}$. This value is great enough to reveal that this kind of Boolean functions are numerous. There are some other problems worth studying. For example, how to construct and count Boolean functions of an even number of variables with maximum algebraic immunity, and how to construct and count Boolean functions with maximum algebraic immunity keeping in mind other cryptographic properties such as nonlinearity, propagation and resiliency.